Book an appointment with us, or search the directory to find the right lawyer for you directly through the app.
Find out moreOur knowledge, experience, and expertise are now available on the go.
We are proud to announce the launch of My Tamimi App, a convenient new tool for anyone with an interest in the legal sector, from law students to General Counsel.
Find out moreAndrew Fawcett - Senior Counsel - Technology, Media & Telecommunications
Krishna Jhala - Senior Associate - Technology, Media & Telecommunications
The Kingdom of Bahrain’s Law No. 30 of 2018 promulgating the Personal Data Protection Law (‘PDPL’), which came into effect on 1, August 2019, gives data subjects resident in the Kingdom the right to object to decisions made based only on automatic processing (Article 22 of the PDPL).
The banking and finance sector is likely to be impacted by this new statutory right.
An automated process for scoring loans can calculate and score qualitative and quantitative risk factors and weigh each according to the type of loan in order to automatically generate a loan decision.
Automating loan decisions are said to be highly beneficial to the banking and finance sector as a whole for the following reasons:
While described as a ‘right to object’ to decisions based on automated processing, the right granted under Article 22 to individuals (potential borrowers in this scenario) is actually a right to request processing in a manner that is not solely automated.
Article22 (1) states, in part (in its English translation):
“If a decision is based solely on automated processing of personal data intended to assess the data subject regarding his performance at work, financial standing, credit-worthiness, reliability or conduct, then the data subject shall have the right to request processing in a manner that is not solely automated.”
Re-consideration of the automated decision by an human is obligatory in these circumstances and must be done free of charge for the data subject.
The Board of the Personal Data Protection Authority (‘Authority’) is yet to issue a regulation specifying procedures relating to the submission and processing of the request under Article 22. Although, the Minister of Justice, Islamic Affairs and Awqaf has recently been tasked under Decree No. (78) of 2019 with the duties and powers prescribed under the PDPL for the Authority to date, no regulations have been issued regarding Article 22. What remains unclear is, whether in the absence of these processes, data subjects can exercise their rights under Article 22.
Further, the right to object under Article 22 expressly does not apply “in favour of the Data Subject, where the decision is taken in the course of entering into or performance of a contract with the data subject, provided that suitable measures to safeguard his legitimate interests have been taken, such as hearing the data subject’s view.”
It is worth noting that any person who incurs damage arising from processing of their personal data by a data controller (whether by automated means or otherwise) has the right under Article 57 of the PDPL to compel the data controller to pay compensation with a view to repairing the damage.
The right to object only applies to decisions that are based solely on automated processing of personal data. Where a loan decision is not fully automated, the right does not apply.
As noted above, the Authority has not issued any guidance on the application of Article 22(2) of the PDPL. However, this PDPL provision appears to be based on Article (22)(2)(a) and 22(3) of the European
Union’s General Data Protection Regulation (EU) 2016/679 (‘GDPR’).
These equivalent GDPR provisions likely provide some guidance for interpretation of the PDPL. Under the GDPR, a data subject does not have a right to object to a decision based solely on automated means if:
Guidelines for the GDPR produced by the advisory body known as the Article 29 Working Party (or WP29), gives examples of ‘suitable measures’ that enable the data subject to obtain human intervention, express their point of view and contest the decision.
Consequently, if for example, an online bank in Bahrain is offering loans and a decision on whether or not a loan should be offered based on an algorithm is taken, it appears under the PDPL the bank should:
Banks and other financers in the Kingdom of Bahrain do not necessarily use automated loan decisions for every type of loan offering considering that numerous factors make up their business strategies and lending decisions. However, if they do make a decision based solely on an algorithm or other automated process they need to be aware that:
For further information please contact, Andrew Fawcett (a.fawcett@tamimi.com) or Krishna Jhala (k.jhala@tamimi.com)
To learn more about our services and get the latest legal insights from across the Middle East and North Africa region, click on the link below.
Disclaimer: This chat service should not be relied upon as a substitute for professional advice which takes account of your specific circumstances and any changes in the law and practice. No warranty is made as to the accuracy or completeness of the information provided via this service and no liability is accepted by Al Tamimi & Company Limited, its affiliates, partners or employees for any loss arising as a result of reliance upon the information provided.
Kindly accept the disclaimer to proceed to a live chat.
Thank you for your inquiry. We will connect you to one of our agents now.
Thank you. Which service are you looking for?
Thank you for your interest in working with Al Tamimi & Company. Please click here to view our latest job openings.
Please click here leave a message and we will get back to you shortly.